Authentication ?

qdivya1 at avnika.corp.mot.com
Thu Jul 26 16:30:10 UTC 2001



Graeme,

I realize that AUTHENTICATION works against LDAP w/o any problems.

What I really wish to focus on is Authorization. The idea I had been
mulling over in my mind was something akin to the following:

---------------------------------------------------------------------

For each NewsGroup, create a container group listing the users
that are allowed to access that news group.

The listing can be of two formats, either an explicit list of users, or
a policy/rule that describes a method of qualifying users (or a
combination).

If a "corresponding" container group is not listed for a newsgroup, see if
there is one that exists for its parent newsgroup ... If the parent does
not have a container group, then check its parent etc. ...

A default authorization rule would apply to the "root" news group.

---------------------------------------------------------------------

Hopefully that helps.

Regards

On Thu, 26 Jul 2001 graeme+inn-workers at mathie.cx wrote:

> Date: Thu, 26 Jul 2001 08:15:29 +0100
> From: graeme+inn-workers at mathie.cx
> To: qdivya1 at avnika.corp.mot.com
> Cc: inn-workers at isc.org
> Subject: Re: Authentication ?
>
>
> On Wed, Jul 25, 2001 at 01:38:49PM -0500, qdivya1 at avnika.corp.mot.com wrote:
> >
> > I am interested in exploring two items:
> >
> > (1) Authenticating users against LDAP, and
>
> This works, using pamckpasswd and pam_ldap.
>
> > (2) Authorizing their access into Newsgroups based upon their membership
> > in a group ..
>
> Could you explain what you mean by this?  If you mean that only users in
> a particular group (say group 'reader') can login to the news server,
> then that is trivial.  Your nnrpd PAM configuration would look something
> along the lines of:
>
> nnrpd   auth    requisite    pam_nologin.so
> nnrpd   auth    required     pam_wheel.so group=reader
> nnrpd   auth    required     pam_ldap.so
>
> If instead you're looking for particular groups to have access to
> particular hierarchies, a bit of hacking would be involved.  It would
> be possible to have an authenticator which returns both a user and a
> group[1].  That would require modifying nnrpd/perm.c to grok the newly
> returned field.
>
> It would then be possible to have access stanza which allows access to
> hierarchies based on group.  Hrm, seeing as I'm planning on working on
> code in that general area this weekend, I may look at implementing that
> as a first step.
>
> Of course, it's then getting to the stage that the authenticator may as
> well return a Newsgroups: line which lists the newsgroups that a user
> can access...
>
> [1] Possibly a list of groups.
> --
> graeme+sig at mathie.cx                          http://www.mathie.cx/~graeme/
>
>

Divya Sundaram ----------------------------- CONDITUR IN PETRA
We don't need more strength, or greater opportunity. What we
need is to use what we have.                  - BASIL S. WALSH
--------- Motorola OneIT -- Enabling the Enterprise ----------
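The container-group lookup proposed at the top of this message, written out as an added example (not code from the thread or from INN): each newsgroup either carries its own container (an explicit user list, a qualifying rule, or both) or inherits the nearest ancestor's, ending at a root default. The policy table, the user names and the use of "" for the root are constructed assumptions.

```python
# Added example: hierarchical newsgroup authorization as described in the
# proposal above.  Not part of INN; names and policy below are constructed.
from typing import Callable, Dict, Iterator, Optional, Set, Tuple

Rule = Callable[[str], bool]                      # predicate over a username
Container = Dict[str, object]                     # {"users": Set[str], "rule": Optional[Rule]}

# Constructed sample policy (hypothetical users and hierarchy).
# "" stands for the root newsgroup and holds the default rule.
POLICY: Dict[str, Container] = {
    "":                {"users": set(), "rule": lambda u: u.endswith("@example.test")},
    "corp":            {"users": set(), "rule": lambda u: u.startswith("emp-")},
    "corp.hr":         {"users": {"emp-alice", "emp-bob"}, "rule": None},
    "corp.hr.private": {"users": {"emp-alice"}, "rule": None},
}


def ancestors(newsgroup: str) -> Iterator[str]:
    """Yield the group itself, then each parent up the dotted name, ending with ""."""
    parts = newsgroup.split(".") if newsgroup else []
    for i in range(len(parts), -1, -1):
        yield ".".join(parts[:i])


def resolve_container(newsgroup: str, policy: Dict[str, Container] = POLICY) -> Tuple[str, Container]:
    """Return (owning newsgroup, container) for the nearest ancestor that has one.

    The nearest container wins outright: a more specific container is never
    widened by its parent, which is what makes the scheme safe to use for
    restricting sub-hierarchies such as corp.hr.private.
    """
    for name in ancestors(newsgroup):
        if name in policy:
            return name, policy[name]
    raise KeyError("no root default configured")


def authorized(user: str, newsgroup: str, policy: Dict[str, Container] = POLICY) -> bool:
    """True if the user is in the explicit list or satisfies the rule of the resolved container."""
    _, cont = resolve_container(newsgroup, policy)
    if user in cont["users"]:
        return True
    rule = cont.get("rule")
    return bool(rule and rule(user))
```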